From food rations to marriage certificates, entrance exams to train ticket concessions, mobile phone cards to banking, Indians are now being asked to produce a 12-digit Aadhaar number to access both government and private sector services.
This number is connected to their fingerprint and iris scans that are stored in a centralised database. As of September 2016, this database held the demographic and biometric information of more than 105 crore people – more than 80% of India’s population, and three times the population of the United States.
India’s Unique Identification project is the world’s largest biometrics-based identity programme. Initially, the project had a limited aim – to stop theft and pilferage from India’s social welfare programmes by correctly identifying the beneficiaries using their biometrics. But now, the use of Aadhaar is expanding into newer areas, including business applications.
As the uses of Aadhaar proliferate, what are the rewards and risks?
Over the next week, a special series on Scroll.in will take a closer look at the many dimensions of Aadhaar, from its use for social welfare, to its expansion in the private sector, to concerns over privacy and data violations.
First, a quick comparison with the Social Security Number of the United States. The nine-digit number, which is used widely by government agencies in the US, is seemingly as ubiquitous as Aadhaar. It is often used as an example of an advanced economy successfully doing something similar to India’s unique identity project. But there are important differences between the two, starting with the fact that the Social Security Number is, well, not an identity number.
Aadhaar is an identification number. Social Security Number is not.
The Social Security Number has its origins in the years of the Great Depression. During this period of economic recession in the US, the Roosevelt government launched the “New Deal”, a series of programmes to provide relief and employment to the poor.
In 1936, under the Social Security Act, it began using a nine-digit number, the Social Security Number, to track the earnings of workers and compute the amount of social security benefits to be credited to their accounts.
Over the years, the ease of using the number led more government agencies to incorporate it in their records. In 1961, for instance, the Internal Revenue Service began using the Social Security Number for taxpayer identification, similar to the Permanent Account Number in India.
With no legal restrictions on use of the Social Security Number by private companies, several businesses such as credit bureaus started asking individuals for their Social Security Number and storing it.
But in 1977, the Carter administration clarified that while it may be used to verify whether an individual had the legal permit to work, the Social Security Number could not serve as an identification document.
The Social Security Administration website states in a 2009 bulletin: “The card was never intended to serve as a personal identification document – that is, it does not establish that the person presenting the card is actually the person whose name and SSN appear on the card.”
By contrast, Aadhaar has been designed as a single, universal, digital identity number that any registered entity, whether public or private, can use to “authenticate” an Indian resident. Anyone who has lived in India for 182 days can enroll in Aadhaar for proof of identity, while only citizens and those authorised to work in the US can obtain a Social Security Number.
Aadhaar authenticates a person. The Social Security Number does not.
Aadhaar authenticates a person by matching his or her demographics or biometrics with the records in its database. The government says this will help prevent identity fraud – for example, no one will be able to collect wages or food subsidies in another person’s name.
The Social Security Number was never intended for authentication purposes and has not been built to do this on a national scale. It matches a name and associated Social Security Number against its records only in limited circumstances, such as before issuing a replacement Social Security Number, or establishing a claims record.
It “does not verify an individual’s identity”, notes the Social Security Administration website, explaining the verification methods.
Aadhaar captures biometrics. The Social Security Number does not.
Aadhaar collects biometrics, which include the scan of all fingerprints, face and the iris of both eyes. Aadhaar Act’s section 2(g) states that “other biological attributes” may be collected in the future, a provision that was intensely debated in Parliament.
In contrast, when the Social Security Number was created in the 1930s, the US government decided not to collect fingerprints. “The use of fingerprints was associated in the public mind with criminal activity, making this approach undesirable,” notes the Social Security Administration website. The Social Security Number is thus printed on a small paper card and does not carry even a photograph.
In recent years too, the Social Security Administration has refrained from collecting biometrics of residents. In 2007, when the Intelligence Reform and Terrorism Prevention Act asked the SSA to improve the security of Social Security Number cards, the SSA considered adding the holder’s photograph or biometrics to the card but eventually decided against it.
“A biometric identifier, such as a fingerprint, can be an effective and highly accurate way to establish the identity of an individual, but it can also facilitate a much higher degree of tracking and profiling than would be appropriate for many transactions,” said Marc Rotenberg, the president of Electronic Privacy Information Center, a research organisation, in a testimony to the House of Representatives.
He added: “The problems that will arise when biometric identifiers are compromised are severe. What will happen at the point that your biometric identifiers no longer identify you?”
Around 2011, American authorities considered introducing a new biometrics-linked identity card for work authorisation for residents. Called the Biometric Enrollment, Locally-stored Information, and Electronic Verification of Employment or BELIEVE card, it aimed to capture fingerprints or scans of veins on the back of hands.
BELIEVE card supporters presented it as necessary for immigration reform but many opposed it. “We pointed out that a biometrics ID system would be expensive, intrusive and ineffective, and requiring such an ID card would fundamentally transform the information demands the US government places on its citizens,” said Michael Froomkin, a professor of law at Miami University.
Ultimately, the proposal was dropped.
Aadhaar links databases. The Social Security Number does not.
One of the key concerns around Aadhaar is that the government has “seeded”, or introduced the number in multiple databases, which makes it easier for government agencies to converge personal information of individuals across databases.
Millions of Aadhaar numbers have been linked to the bank records, ration lists, educational records, and telecom documents of individuals. New analytical data techniques mean this “big data” could reveal much more about a person than standalone data could in the past.
PRS Legislative Research has pointed out that the Aadhaar Act of 2016 does not specifically prohibit law enforcement and intelligence agencies from using the Aadhaar number to search various datasets. This could lead to inappropriate profiling, and innocent individuals incorrectly identified as potential threats by law agencies could face harassment.
There is no seeding done using the Social Security Number. Federal agencies and private entities that collect the Social Security Number for a specific service store the number at the organisational level. The US government has cautioned against the use of the Social Security Number as a single, unique identifier.
For instance, the Department of Homeland Security in 2007 directed its officials: “Department of Homeland Security programs shall not collect or use an SSN as a unique identifier; rather, programs shall create their own unique identifiers to identify or link information concerning an individual.” The Department of Defence removed SSNs from military identity cards by 2011, and instead issued departmental-level IDs.
The emphasis is on using different identifiers for specific purposes, to reduce the risks associated with a single identifier.
Aadhaar does not have privacy safeguards quite in the same way as the Social Security Number.
In response to growing concerns over the accumulation of massive amounts of personal information, the US government passed the Privacy Act of 1974. The law was passed in recognition of the dangers of the widespread use of Social Security Numbers as universal identifiers.
Subsequently, the Computer Matching and Privacy Protection Act of 1988 tightened regulation, by providing for the establishment of Data Integrity Boards at each agency.
India does not have a privacy law either at the national or state level. As per section 8 of the Aadhaar Act, requesting agencies are required to obtain the consent of individuals before collecting their identity information and inform them of what information will be shared. But as per section 47, a person whose information is collected and shared without their consent cannot invoke the criminal penalty. The Act says such a complaint can only be made by the Unique Identification Authority.
Further, when the Unique Identification Authority of India authenticates the identity of individuals against the Aadhaar database, it generates millions of authentication logs every day, containing the request received, the response, and the metadata related to the transaction.
The Authority retains the authentication data for six months, and archives it for five years. It also requires the requesting entities – both public agencies and private companies – to maintain the logs, including the Aadhaar number, for two years, and then archive them for five years, and even longer in case of a court order.
Experts caution against the retention of data for such long periods. Data breaches could potentially violate people’s privacy. In 2014, the European Union’s highest court ruled that data retention is illegal.
Aadhaar is designed to be used by private companies. The Social Security Number was not, but its use by the private sector has led to identity theft.
Identity theft affects over 90 lakh Americans every year.
Over the years, commercial enterprises, particularly in the financial services sector, have created a system of files containing the personal and financial information of a majority of the American adult population, based on their Social Security Numbers. This information is sold and traded freely, in some instances leading to identity theft, particularly of elderly pensioners and students. Privacy expert Rotenberg has described financial companies as “among the strongest opponents of SSN restrictions.”
A major government report on privacy in 1973 said that legislation should be adopted prohibiting use of the Social Security Number “for promotional or commercial purposes”.
In most states, legally, an individual is required to provide their Social Security Number to a business only if the transaction requires so under Internal Revenue Service or federal Customer Identification Program rules. A few states such as Colorado, Arizona and California have passed laws that restrict the disclosure and use of the Social Security Number by private actors.
In contrast, Aadhaar has been designed for use by both public and private entities. Billionaire software entrepreneur Nandan Nilekani, who is the founder chairperson of the Unique Identification Authority of India, while explaining the differences between Aadhaar and the Social Security Number, said Aadhaar had been designed “as an open platform on which you can build applications”.
In a foreword to a Credit-Suisse report, he noted that the use of Aadhaar by the financial sector could open up a $600 billion business opportunity.
The Unique Identification Authority of India has already entered into agreements with a number of companies providing authentication and identification services using Aadhaar as a platform.
Aadhaar functioned without a legal framework till recently. The Social Security Number was created through a law.
Since its inception, the Social Security Number has been governed by the Social Security Act of 1935.
In contrast, the Aadhaar project functioned without a legal framework for seven years since it was launched by the United Progressive Alliance government in 2009. It was run under an executive order, which meant Parliament had no oversight over it.
An Aadhaar Bill was introduced in 2010 but it was rejected by a parliamentary committee over legislative, security, and privacy concerns. In March 2016, the National Democratic Alliance government passed the Aadhaar Act as a Money Bill, bypassing the Rajya Sabha – a move that was widely criticised.
The use of Aadhaar is expanding. The use of the Social Security Number is getting restricted.
The Privacy Act of 1974 makes it unlawful for a governmental agency in the US to deny a right, benefit, or privilege merely because the individual refuses to disclose his Social Security Number, except when disclosure is required by federal statute.
Section 7 of the Act provides that any agency requesting an individual to disclose his Social Security Number must “inform that individual whether that disclosure is mandatory or voluntary, by what statutory authority such number is solicited, and what uses will be made of it.”
Given privacy concerns over the use of Social Security Numbers, governments have passed several laws and orders since 1996 to restrict and limit its use and collection.
The Social Security Administration website says state entities have begun to delete Social Security Numbers on electronic public records. An executive order of 1943 that required federal agencies to use the Social Security Number when establishing a system of permanent account numbers was rescinded by an executive order in 2008, which made such use optional.
Several US states have also passed laws. New York and West Virginia have statutes that limit the use of the Social Security Number as a student identity number. Kentucky allows students to opt out of the use of Social Security Numbers. Arizona law requires companies to give a right to users to opt out. California prohibits businesses from printing Social Security Numbers on bills, and companies must notify individuals in case of data breaches.
The Intelligence Reform and Terrorism Prevention Act of 2004 prevented the printing of Social Security Numbers on driver licenses and other government-issued identity cards. A 2015 law prohibited the inclusion of Social Security Numbers on Medicare cards, though this has not yet been achieved.
In contrast, since the first Aadhaar number was issued in 2010, the government in India has tried to link maximum schemes and benefits to Aadhaar, pausing briefly when the Supreme Court issued orders restricting the government from making Aadhaar compulsory.
The Supreme Court passed at least six orders since 2013 saying the government cannot require people to register for an Aadhaar number and no one can be deprived of a government service for not having an Aadhaar number.
But under section 7 of the Aadhaar Act, the government can ask a resident to produce Aadhaar for any “benefit, subsidy or service”, which has made the ambit of the project very wide. Now even private companies have incorporated the Aadhaar number in their systems.
The current trajectories of two ubiquitous numbers – Aadhaar and the Social Security Number – appear to be in opposite directions.